Ethical Hacking Chapter 9 Web and Database Attacks
Input validation is a result of SQL injections
True
Browser or Client side risks
Affects the user's system directly, such as crashing the browser, stealing information, infecting the client's system, or having some effect on the client's system.
Distributed Denial of Service Attack (DDoS)
an attack launched simultaneously from large numbers of hosts that have been compromised and that act after receiving a command
Structured Query Language (SQL) Injections
are designed to exploit applications that supply data that is processed in the form of SQL statements designed to exploit "holes" in the application
Browser and Network based risks
attacker capturing network traffic between the client and server
Session
represents a temporary connection that a client has with the server application to accomplish some task
Server defects and misconfiguration risks
the ability to steal information from a server, run scripts or executables remotely, enumerate servers, and DoS attacks
Web applications are used to
Allow dynamic content
Info about SQL Injections
1. SQL injections are an exploit in which the attacker "injects" SQL code into an input box, form, or network packet with the goal of gaining unauthorized access or altering data. 2. This technique can be used to inject SQL commands to exploit non-validated input vulnerabilities in a web application database. 3. This technique can also be used to execute arbitrary SQL commands through a web application.
Denial of service attack (DoS)
An attack in which a service is overwhelmed by traffic so that its legitimate use is prevented or denied
SQL Injection
An attack on software applications and databases that extends valid SQL queries by adding, or injecting, specially crafted SQL statements to carry out unauthorized access to data or assets
Banner
Banner information is data that reveals telling information such as version and service data that will help an attacker
Port
Connection point on a system for the exchange of information, such as web server traffic or File Transfer Protocol [FTP]
Buffer Overflow
Error that occurs when an application, process, or program attempts to put more data in a buffer than it was designed to hold
Databases can be a victim of source code exploits
False
The stability of a web server does not depend on the operating system
False
Browsers do not display
Hidden fields
"___" are scripting languages
JavaScript, PHP
"___" is used to audit databases
NCC SQuirreL
Which cloud computing service model provides a virtual infrastructure and some preinstalled software components?
PaaS (Platform as a Service)
Types of common DDoS attacks
Ping flooding attack; Smurf attack; SYN flooding; Internet Protocol (IP) fragmentation / fragmentation attack
Which of the following challenges can be solved by firewalls?
Protection against scanning
Cross-Site Scripting (XSS)
Relies on a variation of the input validation attack, but the target is different because the goal is to go after a user instead of the application or data
"___" can be caused by the exploitation of defects and code
SQL Injection
Three classes of individuals who will be interacting or concerned with the health and well-being of the web server:
Server administrator; Network administrator; End user
Risks inherent with web servers can typically be broken into three categories:
Server defects and misconfiguration risks; Browser and Network based risks; Browser or Client side risks